Setup
- I have several EC2 instances with Amazon Linux 2023 for ECS.
- All have the latest SSM Agent 3.2.1542.0 installed; ssm-cli get-diagnostics shows all green.
- Role: ECS-Role with AWS-managed policies AmazonSSMManagedEC2InstanceDefaultPolicy and AmazonEC2ContainerServiceforEC2Role
- SSM Fleet Manager shows a failure for InvokeInspectorLinuxSsmPlugin-do-not-delete
Expected behavior
I expect AWS Inspector to generate an EC2 SBOM.
Actual behavior
AWS Inspector calls the Inspector SSM Plugin Association, which in turn executes /opt/aws/inspector/bin/inspectorssmplugin -read-params-store. This crashes with the following error log, and no SBOM is generated:
Tue Sep 19 15:07:01 2023 UTC scitor 2564381-0@ip-zzz.eu-central-1.compute.internal:0 [ERROR] MandoSecurityContentEvaluator/cmd/bpm.go:323 golang.a2z.com/inspectorssmplugin/cmd.getParameterValueFromSsm(): failed to retrieve parameter or parameter doesn't exist, parameterName=[/inspector-aws/service/inspector-linux-application-paths]
Tue Sep 19 15:07:01 2023 UTC scitor 2564381-0@ip-zzz.eu-central-1.compute.internal:0 [ERROR] MandoSecurityContentEvaluator/cmd/bpm.go:73 golang.a2z.com/inspectorssmplugin/cmd.ExecBpmScan(): error in deep scan paths retrieval from ssm store: operation error SSM: GetParameter, https response error StatusCode: 400, RequestID: zzz, api error AccessDeniedException: User: arn:aws:sts::zzz:assumed-role/ECS-Role/i-zzz is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:zzz:parameter/inspector-aws/service/inspector-linux-application-paths because no identity-based policy allows the ssm:GetParameter action
If I explicitly grant
{
    "Effect": "Allow",
    "Action": "ssm:GetParameter",
    "Resource": "arn:aws:ssm:eu-central-1:zzz:parameter/inspector-aws/service/inspector-linux-application-paths"
}
to ECS-Role, everything works as expected and an SBOM is generated. I would expect the AmazonSSMManagedEC2InstanceDefaultPolicy policy to contain the above permission.
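To check a role's identity-based policy against the exact action and resource named in an AccessDeniedException line like the one above, here is an added Python example (not code from this issue or from AWS): it extracts the denied action and resource ARN from the log line and runs a simplified IAM evaluation (explicit Deny wins, then any Allow, otherwise implicit deny; conditions, SCPs and resource policies are not modelled). The BASELINE statements are a constructed stand-in, not the real contents of AmazonSSMManagedEC2InstanceDefaultPolicy.

```python
import re

# Constructed copy of the AccessDenied line from the plugin log (account/request ids redacted as zzz).
LOG_LINE = (
    "api error AccessDeniedException: User: arn:aws:sts::zzz:assumed-role/ECS-Role/i-zzz "
    "is not authorized to perform: ssm:GetParameter on resource: "
    "arn:aws:ssm:eu-central-1:zzz:parameter/inspector-aws/service/inspector-linux-application-paths "
    "because no identity-based policy allows the ssm:GetParameter action"
)
# Constructed stand-in for the managed policy's SSM statement; NOT the real policy contents.
BASELINE = [{"Effect": "Allow", "Resource": "*",
             "Action": ["ssm:DescribeAssociation", "ssm:GetDocument", "ssm:UpdateInstanceInformation"]}]

DENIED_RE = re.compile(r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def parse_access_denied(line):
    """Return (action, resource_arn) from an AccessDeniedException message, or None."""
    m = DENIED_RE.search(line)
    return (m.group("action"), m.group("resource")) if m else None


def _glob_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(statements, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, then any Allow, else implicit deny.
    Conditions, NotAction/NotResource, SCPs and resource policies are not modelled."""
    allowed = False
    for st in statements:
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if not any(_glob_match(a, action, ignore_case=True) for a in actions):
            continue  # action names match case-insensitively
        if not any(_glob_match(r, resource) for r in resources):
            continue  # resource ARNs match case-sensitively
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def minimal_allow_statement(action, resource):
    # Least-privilege statement scoped to exactly the denied action and resource.
    return {"Effect": "Allow", "Action": action, "Resource": resource}
```

Feed the role's actual policy statements into is_allowed with the parsed action and resource; if it returns False, minimal_allow_statement gives the narrowest statement that closes the gap.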